$2m-a-year Koobface network downed after concerted international effort

NEWS, NOVEMBER/DECEMBER 2010, page 7

The command and control servers for a Koobface botnet swarm, which reportedly raked in $2 million a year for its operators, were closed down in mid-November, following a concerted effort by industry experts and law enforcement officials on both sides of the Atlantic.

The investigation culminated in the closure of the C&C servers by UK ISP Coreix on 12 November. According to an in-depth report by a team of specialists from Information Warfare Monitor, the annual revenues generated by the cybercriminals – who are thought to be based in Russia – were split evenly between scareware/fake anti-virus software and mis-routed advertising on search engines.

As reported previously, the Koobface worm was discovered in December 2008, but it has undergone many changes since then. Named as an anagram of the Facebook social networking site, Koobface’s success is centred on the fact that Facebook has in excess of half a billion users worldwide.

According to security researcher Nart Villeneuve and his team’s report, “thousands of compromised computers networked together with an invisible tether, controlled by a few individuals, can be employed to extract pennies from unsuspecting victims, as it was with Koobface, or sensitive national security documents from government agencies, as it was with GhostNet and Shadows.”

The report says criminal networks are growing as fast as the social networking platforms upon which they parasitically feed. Koobface, notes the report, is just one example of an entire ecosystem that threatens to put at risk the very entity on which it depends – a free and open cyberspace.

Against this backdrop, Villeneuve and his team say that the problem is how to clean up and control cyberspace without undermining the positive characteristics of social networking we have all come to enjoy.

A report in the Financial Times noted that Koobface generally spreads when an infected machine uses a victim’s social network accounts to send messages to friends, urging them to watch a video. “The link usually asks the message recipient to download a programme in order to watch; that programme is actually Koobface”, said the FT.

Villeneuve and his team are reported to have discovered the mobile numbers of four of the Koobface botnet gang’s members, and turned over their results to the authorities in Canada. Infosecurity’s sources suggest that the FBI and the Metropolitan Police’s cybercrime unit were also involved in the investigation, which remains ongoing.

Villeneuve is quoted as saying that poor international co-operation and the small sums involved in each fraud meant that prosecution was unlikely in the case.

In the report’s conclusions, the Canadian team says that, by compromising users, Koobface was able to monetise the criminals’ operation through the use of affiliate programmes with PPC and PPI brokers. “Through a combination of click fraud and the propagation of rogue security software, Koobface was able to generate over $2m between June 2009 and June 2010”, noted the report.

The report concluded that, just as the botnet operators diversify their operations across multiple affiliate programmes, it is likely that each affiliate also has multiple botnet clients that propagate malicious software or advertising links. “This provides a layer of redundancy within the malware ecosystem and allows botnet operators to continue monetising their operations even if some partnerka programmes are disrupted. This makes efforts to counter botnet operations difficult”, the report said.

Google Android security exploit made public by researcher

An IT security researcher has reportedly released source code that could allow a hacker to gain remote access to a Google Android smartphone across the internet.

The researcher – MJ Keith of Alert Logic – apparently released the attack code, which he had previously discussed with journalists, at the HouSecCon security conference in November in Houston, Texas. Reporting on this turn of events, Robert McMillan of Techworld said that the attack code could be used to compromise smartphones running Android 2.1 and earlier. “Keith says he has written code that allows him to run a simple command line shell in Android when the victim visits a website that contains his attack code”, he said.

As previously reported by Infosecurity, the security bug centres on a flaw in the WebKit browser engine used by the Google Android smartphone operating system, as well as by Google’s Chrome web browser. The exploit’s modus operandi appears to be similar to the ‘onmouseover’ flaw seen on Twitter back in September.

McMillan quotes Google as being aware of the flaw, but cites the company as saying it only affects older versions of the smartphone operating system, noting that Android 2.2 is running on more than 36% of Android smartphones.

There appears to be a spot of good news, however, as McMillan claims that, since “Android walls off different components of the operating system from each other, Keith’s browser exploit does not give him full, root access to a hacked phone. But he can access anything that the browser can read”, he noted.
